Abstract. We present the propositional fragment CLF₀ of the Concurrent Logical Framework (CLF). CLF extends the Linear Logical Framework to allow the natural representation of concurrent computations in an object language. The underlying type theory uses monadic types to segregate values from computations. This separation leads to a tractable notion of definitional equality that identifies computations differing only in the order of execution of independent steps. From a logical point of view our type theory can be seen as a novel combination of lax logic and dual intuitionistic linear logic. An encoding of a small Petri net exemplifies the representation methodology, which can be summarized as “concurrent computations as monadic expressions”.

1 Introduction

A logical framework is a meta-language for deductive systems. It is usually defined as a formal meta-logic or type theory together with a representation methodology. A single implementation of a logical framework can then be used to study a variety of deductive systems, thereby factoring the effort that would be required to implement each deductive system separately. Applications of logical frameworks lie mostly in logic and programming languages, where deductive systems have become a common conceptual tool and presentation device. Examples are rules of logical inference, typing rules, and rules specifying the operational semantics of a programming language. Tasks carried out with the help of logical frameworks include proof checking, proof search, and establishing meta-theoretic properties of deductive systems. For an overview and introduction to logical frameworks, their applications, and further pointers to the literature see [4, 32, 29].

The language features provided by a logical framework have a major impact on each task it supports. The right features can help make representation of deductive systems clear, direct, concise, and therefore easy to read and understand. Such elegance can, in turn, make an enormous difference when it comes to proof checking, proof search, and constructing meta-theoretic proofs. Still, each feature we add to a logical framework must be well justified as the design effort is significant and a robust framework must satisfy many subtle properties. Hence, to design an effective framework, we should identify features that most effectively support recurring idioms in the definition and manipulation of deductive systems.
Some of the most commonly recurring concepts in deductive systems are parameterization and variable binding: quantified formulas are pervasive in logic; programming languages contain parameterized expressions such as functions, objects, modules, and others; and inference rules and deductions themselves are often parameterized. LF [18] and other frameworks provide intrinsic support for parameterized objects through dependent functions. Common tasks such as renaming variables and substitution need not be coded up explicitly, as they are handled automatically by the framework when the appropriate representation strategy is chosen. With this support, simple phenomena such as α-convertibility and syntactic substitution have simple representations in the framework, so users of the framework can focus their efforts on truly complex phenomena of the system under investigation.

With dependent functions alone, however, representation of stateful programming languages can be clumsy and complex. In order to better accommodate reasoning with state, LF has been extended with selected constructs from linear logic, giving rise to the logical frameworks LLF [12] and RLF [21]. In these frameworks, users can represent state as linear hypotheses and imperative computations as linear functions, yielding more concise representations than are possible in LF. Since the state concept pervades deductive systems of many different kinds, we judge this extension to be justified, though at present there is much less practical experience with such linear frameworks.

Unfortunately, LF, as well as LLF and RLF, lack effective support for representing or manipulating systems involving concurrency, which has come to be nearly as pervasive as state. The obvious encodings of concurrent programming languages in LLF force a transformation of the operational semantics into continuation-passing style (see the example in Section 2.1), thereby fixing the order of all steps in a concurrent computation. This amounts to an interleaving semantics for concurrency rather than a truly concurrent one. While it is possible to develop, within the framework, explicit judgments specifying which computations should be considered equivalent, reasoning with or about such a specification can be exceedingly cumbersome.

Concurrent LF (CLF), the topic of this paper, is a new logical framework that extends LLF with additional linear constructs ($A_1 \otimes A_2$, $\mathbf{1}$, and $\exists x{:}A_1.\,A_2$) that make it possible to represent concurrent computations in a natural and convenient fashion. However, if they were added freely, these new connectives would interfere with standard representation techniques and would destroy one of the most fundamental properties of an LF-style framework, namely, that the structure of a canonical form is essentially determined by its type. To avoid these problems, we take the further step of encapsulating these new primitives by means of a monad that protects the conventional LF and LLF fragments of the framework. Within the monad, the natural equational theory of our additional operators gives rise to a notion of definitional equality that makes representations of concurrency adequate by ensuring that different interleavings of independent concurrent steps are indistinguishable. Although monads have been used to separate pure and effectful computations in functional programming languages, to the authors’ knowledge this is their first use in a logical framework or theorem-proving environment to separate one logic from another.

Developing a logical framework goes beyond assembling a toolkit of useful representation mechanisms. The bulk of the effort consists of proving that the resulting language is well behaved for the purposes of both representation and computation. For example, it is highly desirable that type checking be decidable in a logical framework based on type theory. As the language expands, going from LF to LLF to CLF, the difficulty of this meta-theoretic investigation grows at an alarming rate, even for experienced researchers. In order to offset this increasing complexity the present paper also introduces a new methodology for developing the meta-theory of LF-style logical frameworks. It is based on the observation that, since LF-style representations rely exclusively on canonical forms, there is no need for the framework to define—or the meta-theory to investigate—anything but canonical forms. This is accomplished using an inductive notion of instantiation, replacing normalization with respect to β-reduction used in traditional presentations.

The present paper concentrates on CLF₀, the propositional sublanguage of CLF, which already exhibits the principal phenomena concerning concurrency. The use of the framework is illustrated by an encoding of Petri-net computations, a simple but fundamental model of concurrency. The interested reader is referred to the accompanying technical reports [36, 13] for the definition of full CLF, the development of its meta-theory [36], and a number of larger examples [13]. These examples include an encoding of a version of ML that supports suspensions with memoization, mutable references, futures in the style of Multilisp [17], concurrency in the style of CML [35], and more. They also include a language for the representation of security protocols based on multiset rewriting [11], and representations of the synchronous and asynchronous π-calculus [26].

The remainder of this paper is organized as follows. In Section 2 we define CLF₀, including its syntax, typing rules, and definitional equality. Section 3 develops the meta-theory of CLF₀, proving decidability of typing and definitional equality. This is followed by a discussion of related work in Section 4 and a conclusion (Section 5) with some comments on future work.

2 Propositional CLF

We introduce the propositional fragment of the concurrent logical framework in stages. In the first stage, we briefly review the linear logical framework (LLF), its properties, and its shortcomings with respect to concurrency. The following stages describe the extensions yielding CLF, which aim to address these shortcomings.

2.1 The Linear Fragment

The propositional fragment LLF₀ of the linear logical framework [12] is based on unrestricted and linear hypothetical judgments $\Gamma;\Delta \vdash_\Sigma M : A$ where $\Gamma$ is a context of unrestricted hypotheses $u{:}A$ (subject to exchange, weakening, and contraction), $\Delta$ is a context of linear hypotheses $x\hat{}A$ (subject only to exchange), $M$ is an object and $A$ is a type. The signature $\Sigma$ declares the base types and constants from which objects are constructed. Under the Curry-Howard isomorphism, $M$ can also be read as a proof term, and $A$ as a proposition of intuitionistic linear logic in its formulation as DILL [3].

Since the signature is fixed for a given typing derivation, we henceforth suppress it for the sake of brevity. In addition, syntactic objects are considered only up to α-equivalence of their bound variables. Exchange is not noted explicitly in the typing rules, and only instances of the typing rules for which all variables in the contexts have unique names are allowed.

The LF representation methodology establishes a bijection between canonical objects of appropriate type and the terms and deductions of an object language to be represented. The appropriate notion of “canonical” turns out to be long $\beta\eta$-normal form. In order to define these inductively, the single typing judgment $\Gamma;\Delta \vdash M : A$ is refined into two judgments:

$\Gamma;\Delta \vdash N \Leftarrow A$   $N$ is canonical of type $A$

$\Gamma;\Delta \vdash R \Rightarrow A$   $R$ is atomic of type $A$

A canonical object $N$ is an introduction form or is an atomic object of base type. An atomic object $R$ is a sequence of elimination forms applied to a variable or constant. Further judgments check that types, contexts, and signatures are well-formed; they are omitted, being entirely straightforward for the propositional fragment.

The types of LLF₀ are freely generated from the constructors $\multimap$, $\rightarrow$, $\&$ and $\top$ and base types. These comprise the largest fragment of intuitionistic linear logic with traditional connectives for which unique canonical forms exist. This property is essential for the use of LLF₀ as a logical framework, because of the central role of canonical forms in its representation methodology. The syntax and the typing rules for the canonical variant of LLF₀ are shown in Figure 1.

Example. The Petri net in Figure 2 will serve as a running example of the various encoding techniques used in this paper. The representation of Petri nets in linear logic goes back to Martí-Oliet and Meseguer [24] and has been treated several times in the literature. Familiarity with Petri nets is assumed, and their encoding is only given by example. We shall however stress that we are adopting the “individual token philosophy” [8] by which the tokens within a place are not interchangeable. A planned extension of CLF with the notion of proof irrelevance [31, 34] would allow a direct encoding of the more mainstream “collective token philosophy”. Further details may be found in the companion technical report [13].

Each place in a Petri net is represented by a type constant $p$. The state of the net is encoded as a collection of linear hypotheses: there is an assumption $x\hat{}p$ for every token in place $p$. There is also a separate type constant $X$ representing an (unspecific) goal state.

For each transition $t$ there is an object constant¹

$$t : (q_1 \multimap \cdots \multimap q_n \multimap X) \multimap (p_1 \multimap \cdots \multimap p_m \multimap X)$$

expressing that the goal state $X$ can be reached from a state with tokens in places $p_1, \ldots, p_m$ if the goal can be reached from the state with tokens in places $q_1, \ldots, q_n$ instead. Such a rule can be read as removing tokens from $p_1, \ldots, p_m$ and placing them on $q_1, \ldots, q_n$.

¹ We adopt the convention that the connective $\multimap$ is right associative.

Fig. 1. The LLF₀ Language

The initial state of the net in Figure 2 is represented by

$$\Delta_0 = r_1\hat{}r,\ n_1\hat{}n,\ n_2\hat{}n,\ b_1\hat{}b,\ b_2\hat{}b,\ b_3\hat{}b,\ a_1\hat{}a$$

and the transitions are represented by the following signature.

$$P : (r \multimap X) \multimap (p \multimap X) \qquad A : (c \multimap X) \multimap (b \multimap b \multimap a \multimap X)$$

$$R : (p \multimap n \multimap b \multimap X) \multimap (r \multimap X) \qquad C : (a \multimap X) \multimap (c \multimap X)$$

The adequacy theorem for this representation states that:

Final state $q_1, \ldots, q_n$ can be reached from initial state $p_1, \ldots, p_m$ iff there is a canonical object $N$ such that

$$\cdot;\cdot \vdash N \Leftarrow (q_1 \multimap \cdots \multimap q_n \multimap X) \multimap (p_1 \multimap \cdots \multimap p_m \multimap X)$$

Moreover, there is a bijection between sequences of firings of the transition rules of the Petri net (according to the individual token philosophy) and such canonical objects.

[Figure 2: the producer/consumer net; its labeled places are Ready to produce (p), Ready to release (r), Counter (n), Ready to acquire (a) and Ready to consume (c).]

Fig. 2. A Producer/Consumer Petri Net with Labeled Marking

By forcibly distinguishing sequences of firings, the LLF₀ representation fails to capture the inherent concurrency of a Petri net. For example, in the state in Figure 2, the $R$ and $A$ transitions can both fire, and do not interfere with each other. However, our current representation yields different terms for the two interleavings:

$$\cdot;\ \Delta_0, f\hat{}(c \multimap b \multimap b \multimap n \multimap n \multimap n \multimap p \multimap X) \vdash R\hat{}(\hat\lambda p_1.\ \hat\lambda n_3.\ \hat\lambda b_4.\ A\hat{}(\hat\lambda c_1.\ \ldots)\hat{}b_1\hat{}b_2\hat{}a_1)\hat{}r_1 \Leftarrow X$$

$$\cdot;\ \Delta_0, f\hat{}(c \multimap b \multimap b \multimap n \multimap n \multimap n \multimap p \multimap X) \vdash A\hat{}(\hat\lambda c_1.\ R\hat{}(\hat\lambda p_1.\ \hat\lambda n_3.\ \hat\lambda b_4.\ \ldots)\hat{}r_1)\hat{}b_1\hat{}b_2\hat{}a_1 \Leftarrow X$$

The only way to identify these executions in LLF is to write higher-level judgments explicitly relating the representations of admissible interleavings of the same trace. This is undesirable for two reasons: first, these declarations are complicated even for simple nets; second, we would need to rewrite them from scratch for every new net we consider. Note that this also forces us to abandon the propositional language LLF₀ for the dependently typed LLF.

Given how pervasive this problem is when analyzing concurrent systems, we devised an extension of LLF₀ that views executions such as the above as partial orders, identifying all of their admissible interleavings. We will describe this language, CLF₀, in the next two sections: we first introduce sufficient infrastructure to provide an alternative to the continuation-passing style of representation forced by LLF (as witnessed by the spurious goal state $X$). We then adjust the notion of definitional equality so that independent steps can commute.


2.2 The Monadic Fragment

A simple attempt to represent Petri nets without the continuation-passing transformation would introduce the linear logic connective $\otimes$ and its unit $\mathbf{1}$ to the framework [9]. The LLF₀ transition

$$t : (q_1 \multimap \cdots \multimap q_n \multimap X) \multimap (p_1 \multimap \cdots \multimap p_m \multimap X)$$

would then be replaced with the more straightforward

$$t' : p_1 \otimes \cdots \otimes p_m \multimap q_1 \otimes \cdots \otimes q_n$$
However, this language does not meet the criteria we require of a logical framework. Modeling reachability is not enough: we also want to establish a bijection between Petri net computations and appropriately typed objects in the framework. If LLF₀ is extended with all (or even some) additional connectives of dual intuitionistic linear logic a number of problems establishing adequate encodings arise. The most immediate is that adding an object with any of these types can destroy the adequacy of completely unrelated encodings in the framework.

Observing the declarations

$c : \mathbf{1}$

$\mathsf{nat} : \mathsf{type}$

$z : \mathsf{nat}$

$s : \mathsf{nat} \rightarrow \mathsf{nat}$

we see that $\mathsf{nat}$ contains not only terms such as $z$ and $s\,z$ but also $(\mathsf{let}\ \mathbf{1} = c\ \mathsf{in}\ z)$. There is no longer a bijective correspondence of the type $\mathsf{nat}$ with the set of natural numbers.² Similar examples would arise in the presence of a constant of type $A \otimes B$ or $!A$. While such a language might technically be conservative over LLF₀, it would be impossible to embed an LLF₀ encoding in a larger signature using the new types—the adequacy of the LLF₀ encoding would be destroyed.

The underlying issue here is difficult to characterize formally, but it can be stated informally as follows: the structure of canonical forms should be type-directed. This leads to the inversion principles necessary to prove the adequacy of encodings. For example, we would like to know that every term of type $\mathsf{nat}$ is of the form $z$ or $s\,t$ where $t : \mathsf{nat}$. It is easy to see that the unrestricted use of elimination forms such as $(\mathsf{let}\ \mathbf{1} = t\ \mathsf{in}\ t')$ subverts this principle, because the subterm $t$ is not constrained by the type of the overall term.

In order to obtain a tractable, yet sufficiently expressive type theory we employ a technique familiar from functional programming, which does not appear to have been used in logical frameworks or theorem provers: use a monad [27] to encapsulate the effects of concurrency. This encapsulation protects the equational theory of LLF₀. Moreover, the notion of canonical form outside the monad extends the prior notions conservatively. This property of the method should not be underestimated, because it means that all encodings already devised for LF or LLF remain adequate, and their adequacy proofs can remain exactly the same!

We write $\{A\}$ for the monad type, which in lax logic would be written $\bigcirc A$ [33]. But which types should be available inside the monad? They must be expressive enough to represent the state after a computation step in the concurrent object language. This is most naturally represented by the multiplicative conjunction $\otimes$. Then our transition rule can be written

$$t'' : p_1 \multimap \cdots \multimap p_m \multimap \{q_1 \otimes \cdots \otimes q_n\}$$

where currying eliminates the use of $\otimes$ on the left-hand side. In order to cover the case $n = 0$ the multiplicative unit $\mathbf{1}$ is included. Though it does not arise in this example, a transition could also generate an element of persistent (unrestricted) type, so we also allow types $!A$. We call the new types synchronous, borrowing

² Examples such as $(\hat\lambda x.\ \mathsf{let}\ \mathbf{1} = x\ \mathsf{in}\ z : \mathbf{1} \multimap \mathsf{nat})$ show that the term above cannot simply be equal to $z$.


Fig. 3. The CLF₀ Extensions to LLF₀

Syntax:

$A, B, C ::= \ldots \mid \{S\}$

$S ::= S_1 \otimes S_2 \mid \mathbf{1} \mid {!A} \mid A$

$p ::= p_1 \otimes p_2 \mid \mathbf{1} \mid {!u} \mid x$

$\Psi ::= \cdot \mid p\hat{}S, \Psi$

$N ::= \ldots \mid \{E\}$

$E ::= \mathsf{let}\ \{p\} = R\ \mathsf{in}\ E \mid M$

$M ::= M_1 \otimes M_2 \mid \mathbf{1} \mid {!N} \mid N$

Typing rules:

$$\frac{\Gamma;\Delta \vdash E \leftarrow S}{\Gamma;\Delta \vdash \{E\} \Leftarrow \{S\}}\ \{\}I \qquad \frac{\Gamma;\Delta_1 \vdash R \Rightarrow \{S_0\} \quad \Gamma;\Delta_2;p\hat{}S_0 \vdash E \leftarrow S}{\Gamma;\Delta_1,\Delta_2 \vdash (\mathsf{let}\ \{p\} = R\ \mathsf{in}\ E) \leftarrow S}\ \{\}E$$

$$\frac{\Gamma;\Delta \vdash M \Leftarrow S}{\Gamma;\Delta \vdash M \leftarrow S} \qquad \frac{\Gamma;\Delta \vdash E \leftarrow S}{\Gamma;\Delta;\cdot \vdash E \leftarrow S}$$

$$\frac{\Gamma;\Delta;p_1\hat{}S_1, p_2\hat{}S_2, \Psi \vdash E \leftarrow S}{\Gamma;\Delta;p_1 \otimes p_2\hat{}S_1 \otimes S_2, \Psi \vdash E \leftarrow S}\ \otimes L \qquad \frac{\Gamma;\Delta;\Psi \vdash E \leftarrow S}{\Gamma;\Delta;\mathbf{1}\hat{}\mathbf{1}, \Psi \vdash E \leftarrow S}\ \mathbf{1}L$$

$$\frac{\Gamma, u{:}A;\Delta;\Psi \vdash E \leftarrow S}{\Gamma;\Delta;{!u}\hat{}{!A}, \Psi \vdash E \leftarrow S}\ {!L} \qquad \frac{\Gamma;\Delta, x\hat{}A;\Psi \vdash E \leftarrow S}{\Gamma;\Delta;x\hat{}A, \Psi \vdash E \leftarrow S}\ AL$$

$$\frac{\Gamma;\Delta_1 \vdash M_1 \Leftarrow S_1 \quad \Gamma;\Delta_2 \vdash M_2 \Leftarrow S_2}{\Gamma;\Delta_1,\Delta_2 \vdash M_1 \otimes M_2 \Leftarrow S_1 \otimes S_2}\ \otimes I \qquad \frac{}{\Gamma;\cdot \vdash \mathbf{1} \Leftarrow \mathbf{1}}\ \mathbf{1}I \qquad \frac{\Gamma;\cdot \vdash N \Leftarrow A}{\Gamma;\cdot \vdash {!N} \Leftarrow {!A}}\ {!I}$$


terminology from Andreoli [2], and denote them by $S$. The resulting extension to the language of types is shown in Figure 3.

The language of objects is extended accordingly. The synchronous types $S$ type monadic expressions $E$. The introduction forms $M$ are constructors for multiplicative pairs, the multiplicative unit, and the unrestricted modality ($!$). The elimination form is a let binding eliminating the monad and matching the synchronous constructors against a pattern $p$. To our knowledge, this canonical formulation of the proof term assignment for lax logic is novel. Patterns are classified by synchronous types $S$ and are collected into a context $\Psi$.

There are three typing judgments in addition to the judgments already noted for LLF₀:

$$\Gamma;\Delta \vdash E \leftarrow S \qquad \Gamma;\Delta;\Psi \vdash E \leftarrow S \qquad \Gamma;\Delta \vdash M \Leftarrow S$$

The extended language CLF₀ inherits all the typing rules already presented for LLF₀. The additional typing rules are shown in Figure 3. First, there are introduction and elimination rules for $\{\}$ ($\{\}$I, $\{\}$E). We can see that a monadic expression is a sequence of let forms, ending in a monadic object. Immediately after each let the pattern is decomposed into assumptions of the form $x\hat{}A$ or $u{:}A$ and the body of the let is checked. This is the purpose of the judgment $\Gamma;\Delta;\Psi \vdash E \leftarrow S$, defined by the next group of rules ($\otimes$L, $\mathbf{1}$L, $!$L, $A$L). These correspond to left rules in a sequent calculus. Finally, there are rules to introduce the monadic objects at the end of a sequence of $\{\}$E eliminations ($\otimes$I, $\mathbf{1}$I, $!$I).
Example revisited. The Petri net in Figure 2 is now represented almost as in dual intuitionistic linear logic [3], except that the right-hand sides of the linear implications use the monad.

$$P : p \multimap \{r\} \qquad A : b \multimap b \multimap a \multimap \{c\}$$

$$R : r \multimap \{p \otimes n \otimes b\} \qquad C : c \multimap \{a\}$$

The monadic encapsulation and the canonical forms of monadic expressions tightly constrain the form of objects constructed from this signature. Adopting α-equivalence—for the moment—as the framework’s definitional equality, there is an analog of the earlier adequacy theorem.

The example firings are rewritten as follows.

$$\cdot;\ \Delta_0 \vdash \{\mathsf{let}\ \{p_1 \otimes n_3 \otimes b_4\} = R\hat{}r_1\ \mathsf{in}\ \mathsf{let}\ \{c_1\} = A\hat{}b_1\hat{}b_2\hat{}a_1\ \mathsf{in}\ c_1 \otimes b_3 \otimes b_4 \otimes n_1 \otimes n_2 \otimes n_3 \otimes p_1\} \Leftarrow \{c \otimes b \otimes b \otimes n \otimes n \otimes n \otimes p\}$$

$$\cdot;\ \Delta_0 \vdash \{\mathsf{let}\ \{c_1\} = A\hat{}b_1\hat{}b_2\hat{}a_1\ \mathsf{in}\ \mathsf{let}\ \{p_1 \otimes n_3 \otimes b_4\} = R\hat{}r_1\ \mathsf{in}\ c_1 \otimes b_3 \otimes b_4 \otimes n_1 \otimes n_2 \otimes n_3 \otimes p_1\} \Leftarrow \{c \otimes b \otimes b \otimes n \otimes n \otimes n \otimes p\}$$

With the introduction of synchronous connectives, and their encapsulation within the monadic construction, we have achieved a simple encoding of Petri nets and provided a syntax for executions that is separate from the traditional LLF₀ terms. However, α-equivalence still distinguishes the two executions above despite the fact that their $R$ and $A$ transitions are independent. Since the two lets bind and use different variables, we should be able to identify their permutations, with the sandboxing effect of the monad protecting the surrounding LLF₀ terms. We will now formalize this intuition.
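A checker for the judgments of Figure 3, added here as an example and not taken from the paper or from any CLF or Twelf implementation. It decides $\cdot;\Delta \vdash N \Leftarrow A$ in resource-passing style (each rule hands back the linear hypotheses it did not consume, so the context splits of $\otimes$I and $\{\}$E need no search), applies the left rules $\otimes$L, $\mathbf{1}$L, $!$L and $A$L when a let pattern is decomposed, and insists that every token bound by a pattern is used exactly once. The tuple encoding of types, objects and patterns is an assumption of the example; the input is the monadic signature and the two executions of the example above, plus a constructed execution that drops a buffer token and is therefore rejected.

```python
# Type checker for the CLF0 monadic fragment: an added example for this page, not
# code from the CLF paper or any CLF/Twelf implementation.  Linearity is enforced in
# resource-passing style: each check takes the linear context Delta and returns the
# hypotheses it did not consume, so Gamma; Delta |- N <= A holds exactly when nothing
# is left over.  Names are assumed unique, as the page requires of all rule instances.
# Assumed encoding (constructed for this example):
#   types A, S : ('base', a) | ('lolli', A, B) | ('monad', S) | ('tensor', S1, S2) | ('one',) | ('bang', A)
#   objects N  : ('lam', x, N) | ('brace', E) | R       R : ('app', head, [N, ...])
#   monadic E  : ('let', p, R, E) | M     M : ('tensor', M1, M2) | ('one',) | ('bang', N) | N
#   patterns p : ('tensor', p1, p2) | ('one',) | ('bang', u) | x
from functools import reduce

class Ill(Exception):
    """No typing rule applies."""

def base(a): return ('base', a)
def var(x): return ('app', x, [])
def lolli(*ts): return reduce(lambda b, a: ('lolli', a, b), reversed(ts))   # right-assoc ->o
def tens(*xs): return reduce(lambda b, a: ('tensor', a, b), reversed(xs))  # right-nested (x)

def infer(sig, gamma, delta, r):
    """Gamma; Delta |- R => A.  Returns (A, unused part of Delta)."""
    if r[0] != 'app': raise Ill('expected an atomic object')
    _, head, args = r
    if head in delta:          # a linear hypothesis is consumed by its single use
        delta = dict(delta); ty = delta.pop(head)
    elif head in gamma: ty = gamma[head]
    elif head in sig: ty = sig[head]
    else: raise Ill(f'unbound or already consumed: {head}')
    for n in args:
        if ty[0] != 'lolli': raise Ill(f'{head} applied to too many arguments')
        delta = check(sig, gamma, delta, n, ty[1])
        ty = ty[2]
    return ty, delta

def check(sig, gamma, delta, n, a):
    """Gamma; Delta |- N <= A (and Gamma; Delta |- M <= S for synchronous S)."""
    if a[0] == 'lolli':        # ->oI: bind x^A, then insist that it was consumed
        if n[0] != 'lam': raise Ill('expected a linear lambda')
        rest = check(sig, gamma, {**delta, n[1]: a[1]}, n[2], a[2])
        if n[1] in rest: raise Ill(f'linear variable {n[1]} never used')
        return rest
    if a[0] == 'monad':        # {}I
        if n[0] != 'brace': raise Ill('expected {E}')
        return check_expr(sig, gamma, delta, n[1], a[1])
    if a[0] == 'tensor':       # (x)I: Delta is split between the two components
        if n[0] != 'tensor': raise Ill('expected M1 (x) M2')
        return check(sig, gamma, check(sig, gamma, delta, n[1], a[1]), n[2], a[2])
    if a[0] == 'one':          # 1I
        if n != ('one',): raise Ill('expected 1')
        return delta
    if a[0] == 'bang':         # !I: the body may use no linear hypotheses at all
        if n[0] != 'bang' or check(sig, gamma, {}, n[1], a[1]): raise Ill('bad !N')
        return delta
    ty, rest = infer(sig, gamma, delta, n)   # base type: an atomic object
    if ty != a: raise Ill(f'expected {a}, found {ty}')
    return rest

def decompose(gamma, delta, p, s):
    """The left rules (x)L, 1L, !L, AL: pattern p at type S becomes hypotheses."""
    if isinstance(p, str):                      # AL: x^A joins Delta
        if s[0] in ('tensor', 'one', 'bang'): raise Ill(f'{p} cannot match {s}')
        return gamma, {**delta, p: s}, {p}
    if p[0] == 'tensor' and s[0] == 'tensor':   # (x)L
        gamma, delta, b1 = decompose(gamma, delta, p[1], s[1])
        gamma, delta, b2 = decompose(gamma, delta, p[2], s[2])
        return gamma, delta, b1 | b2
    if p == ('one',) and s == ('one',):          # 1L
        return gamma, delta, set()
    if p[0] == 'bang' and s[0] == 'bang':        # !L: u:A joins Gamma
        return {**gamma, p[1]: s[1]}, delta, set()
    raise Ill(f'pattern {p} does not match {s}')

def check_expr(sig, gamma, delta, e, s):
    """Gamma; Delta |- E <- S: a sequence of lets ending in a monadic object."""
    if e[0] != 'let':
        return check(sig, gamma, delta, e, s)
    _, p, r, body = e
    ty, delta = infer(sig, gamma, delta, r)     # {}E: R => {S0}, then p^S0 is decomposed
    if ty[0] != 'monad': raise Ill('let on a non-monadic object')
    gamma, delta, bound = decompose(gamma, delta, p, ty[1])
    rest = check_expr(sig, gamma, delta, body, s)
    if bound & set(rest): raise Ill('a token bound by the pattern was never used')
    return rest

def typecheck(sig, delta, n, a):
    """Decide .; Delta |- N <= A with an empty unrestricted context."""
    try:
        return check(sig, {}, dict(delta), n, a) == {}
    except Ill:
        return False

# Constructed input: the monadic encoding of the page's producer/consumer net.
SIG = {'P': lolli(base('p'), ('monad', base('r'))),
       'A': lolli(base('b'), base('b'), base('a'), ('monad', base('c'))),
       'R': lolli(base('r'), ('monad', tens(base('p'), base('n'), base('b')))),
       'C': lolli(base('c'), ('monad', base('a')))}
DELTA0 = {'r1': base('r'), 'n1': base('n'), 'n2': base('n'), 'b1': base('b'),
          'b2': base('b'), 'b3': base('b'), 'a1': base('a')}
FIRE_R = ('app', 'R', [var('r1')])
FIRE_A = ('app', 'A', [var('b1'), var('b2'), var('a1')])
GOAL = ('monad', tens(*map(base, 'cbbnnnp')))
FINAL = tens(*map(var, ['c1', 'b3', 'b4', 'n1', 'n2', 'n3', 'p1']))
EXEC_RA = ('brace', ('let', tens('p1', 'n3', 'b4'), FIRE_R, ('let', 'c1', FIRE_A, FINAL)))
EXEC_AR = ('brace', ('let', 'c1', FIRE_A, ('let', tens('p1', 'n3', 'b4'), FIRE_R, FINAL)))
# An execution that silently drops the buffer token b4 is not linear and is rejected.
DROPPED = ('brace', ('let', tens('p1', 'n3', 'b4'), FIRE_R, ('let', 'c1', FIRE_A,
           tens(*map(var, ['c1', 'b3', 'n1', 'n2', 'n3', 'p1'])))))
GOAL_DROPPED = ('monad', tens(*map(base, 'cbnnnp')))
```

Both interleavings check against `GOAL` with `DELTA0`, while `DROPPED` fails because `b4` is still in the returned context when the pattern that bound it goes out of scope; the same mechanism rejects a token used twice, since its second use finds it already removed from $\Delta$.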


2.3 Concurrent Equality

In essence, our objective is to identify all the usual commuting conversions between synchronous operators, but have them stop at the monadic membrane. In keeping with the philosophy espoused here of presenting the core concepts of the framework computationally, we give a direct definition of this concurrent equality as a decision procedure. Figure 4 shows the new syntax and inference rules associated with the definition.

The definition relies on the subsidiary concept of a concurrent context. As usual, the notation $\epsilon[E]$ stands for the expression constructed by replacing the hole $[\,]$ in $\epsilon$ with $E$.

The judgment $E_1 =_c E_2$ holds when $E_1$ and $E_2$ represent the same underlying concurrent computation even though their syntactic representations may differ. The rule marked $(*)$ is subject to the side condition that no variable bound by $p$ be free in the conclusion or bound by the context $\epsilon$, and that no variable free in $R_2$ be bound by the context $\epsilon$. Intuitively, this rule expresses that we have to find a subcomputation $R_2$ of the right-hand side that starts with the same step $R_1$ as the left-hand side. Furthermore, the remaining computation $E_1$ on the left-hand
$\epsilon ::= [\,] \mid \mathsf{let}\ \{p\} = R\ \mathsf{in}\ \epsilon$

$$\frac{M_1 = M_2}{M_1 =_c M_2} \qquad \frac{R_1 = R_2 \quad E_1 =_c \epsilon[E_2]}{(\mathsf{let}\ \{p\} = R_1\ \mathsf{in}\ E_1) =_c \epsilon[\mathsf{let}\ \{p\} = R_2\ \mathsf{in}\ E_2]}\ (*) \qquad \frac{E_1 =_c E_2}{\{E_1\} = \{E_2\}}$$

$(*)$ No variable bound by $p$ is free in the conclusion or bound by the context $\epsilon$, and no variable free in $R_2$ is bound by the context $\epsilon$.

Fig. 4. Concurrent Equality


side must equal the remaining computation on the right-hand side, which consists of the steps preceding $R_2$ (in $\epsilon$) and those following $R_2$ (in $E_2$) composed in $\epsilon[E_2]$. There are also unmarked equality judgments $N_1 = N_2$, $R_1 = R_2$, and $M_1 = M_2$ and congruences for them (not shown). An equality judgment is not taken to mean anything in particular unless the subjects of the judgment are well typed. A typed equality judgment $\Gamma;\Delta \vdash N_1 = N_2 \Leftarrow A$ can then be defined by $(\Gamma;\Delta \vdash N_1 \Leftarrow A) \wedge (\Gamma;\Delta \vdash N_2 \Leftarrow A) \wedge (N_1 = N_2)$.

Returning to the Petri-net example developed in Section 2.2, it is easy to show that the two CLF₀ objects corresponding to the two different interleavings of the example Petri net execution are concurrently equal. This is crystallized as a better adequacy theorem:

Final state $q_1, \ldots, q_n$ can be reached from initial state $p_1, \ldots, p_m$ iff there is a canonical object $N$ such that

$$\cdot;\cdot \vdash N \Leftarrow p_1 \multimap \cdots \multimap p_m \multimap \{q_1 \otimes \cdots \otimes q_n\}$$

Moreover, there is a bijection between concurrent executions (traces) of the transition rules of the Petri net (according to the individual token philosophy) and equivalence classes of such canonical objects modulo $=$.
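The decision procedure of Figure 4, worked as an added example in Python; this is not code from the paper or from any CLF implementation. Monadic expressions are represented as a list of let steps followed by the final monadic object, atomic objects as a signature constant applied to token variables, and patterns by the variables they bind; that representation and the sample executions are assumptions made for this example. The input is the pair of Petri-net executions from Section 2.2, which the procedure identifies, and a constructed pair in which $C$ consumes the token that $A$ produced, which it must keep apart because the side condition $(*)$ fails.

```python
# Decision procedure for CLF0 concurrent equality (=c) on monadic expressions.
# Added example for this page; not code from the CLF paper or any CLF implementation.
# Assumed representation (constructed for this example):
#   atomic object R : (head, (arg, ...)), e.g. ('R', ('r1',)) for R^r1; heads are
#                     signature constants, arguments are token variables
#   pattern p       : the tuple of variable names it binds, e.g. ('p1', 'n3', 'b4')
#   expression E    : (steps, M) where steps = [(p, R), ...] reads as the nested
#                     "let {p} = R in ..." and M is the final tensor of tokens
from typing import List, Set, Tuple

Atomic = Tuple[str, Tuple[str, ...]]
Step = Tuple[Tuple[str, ...], Atomic]
Expr = Tuple[List[Step], Tuple[str, ...]]


def free_vars(r: Atomic) -> Set[str]:
    return set(r[1])


def bound_by(steps: List[Step]) -> Set[str]:
    return {x for p, _ in steps for x in p}


def conc_equal(e1: Expr, e2: Expr) -> bool:
    """E1 =c E2: the two expressions describe the same concurrent computation."""
    steps1, m1 = e1
    steps2, m2 = e2
    if not steps1:
        # Base rule: only the final monadic objects are left; compare them syntactically.
        return not steps2 and m1 == m2
    p, r1 = steps1[0]                     # E1 = let {p} = R1 in E1'
    rest1 = (steps1[1:], m1)
    for i, (p2, r2) in enumerate(steps2):
        if p2 != p or r2 != r1:            # need R1 = R2 under the same pattern
            continue
        ctx = steps2[:i]                   # the concurrent context epsilon
        ctx_bound = bound_by(ctx)
        ctx_free = set().union(*(free_vars(r) for _, r in ctx))
        # Side condition (*): the step may be pulled past epsilon only if epsilon
        # neither uses nor rebinds what p binds, and binds nothing R2 uses.
        if set(p) & (ctx_free | ctx_bound) or free_vars(r2) & ctx_bound:
            continue
        # What remains on the right is epsilon[E2']: epsilon's steps, then E2'.
        if conc_equal(rest1, (ctx + steps2[i + 1:], m2)):
            return True
    return False


# Constructed input: the two executions of the producer/consumer net from the
# page, R then A and A then R, which differ only in the order of independent steps.
FIRE_R: Atomic = ('R', ('r1',))                 # R^r1        : {p (x) n (x) b}
FIRE_A: Atomic = ('A', ('b1', 'b2', 'a1'))      # A^b1^b2^a1  : {c}
FINAL = ('c1', 'b3', 'b4', 'n1', 'n2', 'n3', 'p1')
EXEC_RA: Expr = ([(('p1', 'n3', 'b4'), FIRE_R), (('c1',), FIRE_A)], FINAL)
EXEC_AR: Expr = ([(('c1',), FIRE_A), (('p1', 'n3', 'b4'), FIRE_R)], FINAL)

# Constructed input with a data dependence: C consumes the c1 that A produced,
# so the two orders are not interleavings of one computation.
FIRE_C: Atomic = ('C', ('c1',))                 # C^c1        : {a}
FINAL_AC = ('a2', 'b3', 'n1', 'n2', 'r1')
EXEC_AC: Expr = ([(('c1',), FIRE_A), (('a2',), FIRE_C)], FINAL_AC)
EXEC_CA: Expr = ([(('a2',), FIRE_C), (('c1',), FIRE_A)], FINAL_AC)

if __name__ == '__main__':
    print(conc_equal(EXEC_RA, EXEC_AR))   # True: independent steps commute
    print(conc_equal(EXEC_AC, EXEC_CA))   # False: C's input is bound by A
```

The search for the matching step on the right-hand side is linear in the number of lets, and because every let binds distinct names in a well-typed expression, at most one position can match, so the procedure runs in time quadratic in the length of the expressions.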

3 Meta-theory

This section sketches the meta-theory of the canonical formulation of CLF₀. Additional details and a development of the dependent case may be found in the companion theory technical report [36].


3.1 Identity and substitution properties

As discussed in Section 2, the CLF₀ framework—and full CLF as well—syntactically restrict the form of objects so that they will always be canonical. This is a good design choice in the logical frameworks context, but it carries with it the obligation to ensure that the underlying logic (via the Curry-Howard isomorphism, if you like) is sensible. In particular, the principles of identity and substitution must hold.
Identity. Unrestricted case: For any $\Gamma$ and $A$, $\Gamma, u{:}A;\cdot \vdash N \Leftarrow A$ for some $N$. Linear case: For any $\Gamma$ and $A$, $\Gamma; x\hat{}A \vdash N \Leftarrow A$ for some $N$.

Substitution. Unrestricted case: if $\Gamma;\cdot \vdash N_0 \Leftarrow A$ and $\Gamma, u{:}A;\Delta \vdash N \Leftarrow C$ then $\Gamma;\Delta \vdash N' \Leftarrow C$ for some $N'$. Linear case: if $\Gamma;\Delta_1 \vdash N_0 \Leftarrow A$ and $\Gamma;\Delta_2, x\hat{}A \vdash N \Leftarrow C$ then $\Gamma;\Delta_1,\Delta_2 \vdash N' \Leftarrow C$ for some $N'$.

In the standard reduction-oriented treatment of proofs, these are fairly trivial, because variables and general terms are in the same syntactic category. Substitution simply syntactically replaces the target variable with the substituend—possibly creating redices. Here, redices are not syntactically allowed, and variables are syntactically atomic while general terms are syntactically normal, so it is not possible to directly replace a variable with a substituend. By the same token, a variable of higher type cannot stand by itself as a canonical object—canonical objects of higher type must be introduction forms—so the identity principle cannot be witnessed by a bare variable.

Instead, the meta-theory of CLF relies on algorithms that compute witnesses to the identity and substitution principles. These are, respectively, the expansion algorithm and the instantiation algorithm.³

Principle       Algorithm       Supersedes          Notation
Substitution    Instantiation   β-normalization     $\mathrm{inst\_n}_A(x.\ N, N_0) = N'$
Identity        Expansion       η-normalization     $\mathrm{expand}_A(R) = N$

Think of the instantiation operator $\mathrm{inst\_n}_A(x.\ N, N_0)$ as computing the canonical form of the result of instantiating the variable $x$ in the object $N$ with the object $N_0$. The instantiation operator is indexed by the type $A$ of the substituend $N_0$. If $A$ is a base type, we have $\mathrm{inst\_n}_A(x.\ N, N_0) = [N_0/x]N$; that is, instantiation reduces to ordinary syntactic substitution. At higher type more complex situations arise.

Dually, we think of the expansion operator $\mathrm{expand}_A(R)$ as computing the canonical form of the atomic object $R$ of putative type $A$. This is analogous to η-expansion, except that the term $R$ and its expansion inhabit different syntactic categories if $A$ is a higher type.

These algorithms must be (and are) effectively presented, because the typing judgment of the full dependent type theory appeals to instantiation, and effective typing is central to the logical framework concept. The use of the instantiation algorithm in dependent typing has a further important ramification: the instantiation algorithm must be effective on ill-typed terms. Otherwise, there is a circularity between instantiation and typing, leading to a very complex meta-theory.⁷ Since the substitution principle does not hold for ill-typed terms, we allow the witnessing instantiation algorithm to report failure or yield garbage on ill-typed input; e.g., $\mathrm{inst\_n}_A(x.\,x\,x, \lambda x.\,x\,x) = \mathrm{fail}$. Garbage in, garbage out, but at least we get our garbage out in finite time!

⁶ Here and in the remainder we use $x$ generically for either a linear or unrestricted variable.
⁷ This circularity, which the present treatment of CLF avoids, is analogous to the difficulties encountered in the early reduction-oriented treatments of LF, where typing refers to equality, which is decided by normalization, but normalization is only effective for well-typed terms.
$\mathrm{treduce}_A(x.\,R) = B$   [Type reduction]

$\mathrm{treduce}_A(x.\,x) = A$
$\mathrm{treduce}_A(x.\,R\,N) = C$   if $\mathrm{treduce}_A(x.\,R) = B \to C$

$\mathrm{reduce}_A(x.\,R, N_0) = N'$   [Reduction]

$\mathrm{reduce}_A(x.\,x, N_0) = N_0$
$\mathrm{reduce}_A(x.\,R\,N, N_0) = \mathrm{inst\_n}_B(y.\,N', \mathrm{inst\_n}_A(x.\,N, N_0))$
   if $\mathrm{treduce}_A(x.\,R) = B \to C$ and $\mathrm{reduce}_A(x.\,R, N_0) = \lambda y.\,N'$

$\mathrm{inst\_r}_A(x.\,R, N_0) = R'$   [Atomic object instantiation]

$\mathrm{inst\_r}_A(x.\,c, N_0) = c$
$\mathrm{inst\_r}_A(x.\,y, N_0) = y$   if $y$ is not $x$
$\mathrm{inst\_r}_A(x.\,R\,N, N_0) = (\mathrm{inst\_r}_A(x.\,R, N_0))\,(\mathrm{inst\_n}_A(x.\,N, N_0))$

$\mathrm{inst\_n}_A(x.\,N, N_0) = N'$   [Normal object instantiation]

$\mathrm{inst\_n}_A(x.\,\lambda y.\,N, N_0) = \lambda y.\,\mathrm{inst\_n}_A(x.\,N, N_0)$   if $y \notin \mathrm{FV}(N_0)$
$\mathrm{inst\_n}_A(x.\,R, N_0) = \mathrm{inst\_r}_A(x.\,R, N_0)$   if $\mathrm{head}(R)$ is not $x$
$\mathrm{inst\_n}_A(x.\,R, N_0) = \mathrm{reduce}_A(x.\,R, N_0)$   if $\mathrm{treduce}_A(x.\,R) = a$

Fig. 5. Instantiation, LF₀

3.2  Instantiation 

Space  constraints  preclude  the  incorporation  of  all  the  cases  of  the  definitions  of 
these  operators.  Full  details  are  available,  of  course,  in  our  technical  report  [36]. 

We begin by examining the cases for the LF₀ fragment of instantiation, shown in Figure 5. The recurrence defining instantiation is based on the observation, exploited in cut elimination proofs on the logical side [30], but not so well known on the type theoretic side, that the canonical result of substituting one canonical term into another can be defined by induction on the type of the term being substituted. Accordingly, the instantiation operators are defined as a family parameterized over the type of the object being substituted. In the notation $\mathrm{inst\_c}_A(x.\,X, N)$ this type $A$ appears as a subscript. Here $c$ is replaced by a mnemonic for the particular syntactic category to which the instantiation operator applies. The variable $x$ is to be considered bound within the term $X$ (of whatever category) being substituted into. The operators defined in this section should be thought of as applying to equivalence classes of concrete terms modulo α-equivalence on bound variables.

$\mathrm{inst\_n}_A(x.\,N, N_0) = N'$   [Normal object instantiation, extended]

$\mathrm{inst\_n}_A(x.\,\{E\}, N_0) = \{\mathrm{inst\_e}_A(x.\,E, N_0)\}$

$\mathrm{inst\_m}_A(x.\,M, N_0) = M'$   [Monadic object instantiation]

$\mathrm{inst\_m}_A(x.\,M_1 \otimes M_2, N_0) = \mathrm{inst\_m}_A(x.\,M_1, N_0) \otimes \mathrm{inst\_m}_A(x.\,M_2, N_0)$
$\mathrm{inst\_m}_A(x.\,1, N_0) = 1$
$\mathrm{inst\_m}_A(x.\,!N, N_0) = !(\mathrm{inst\_n}_A(x.\,N, N_0))$
$\mathrm{inst\_m}_A(x.\,N, N_0) = \mathrm{inst\_n}_A(x.\,N, N_0)$

$\mathrm{inst\_e}_A(x.\,E, N_0) = E'$   [Expression instantiation]

$\mathrm{inst\_e}_A(x.\,\mathbf{let}\ \{p\} = R\ \mathbf{in}\ E, N_0) = (\mathbf{let}\ \{p\} = \mathrm{inst\_r}_A(x.\,R, N_0)\ \mathbf{in}\ \mathrm{inst\_e}_A(x.\,E, N_0))$
   if $\mathrm{head}(R)$ is not $x$, and $\mathrm{FV}(p) \cap \mathrm{FV}(N_0)$ is empty
$\mathrm{inst\_e}_A(x.\,\mathbf{let}\ \{p\} = R\ \mathbf{in}\ E, N_0) = \mathrm{match\_e}_S(p.\,\mathrm{inst\_e}_A(x.\,E, N_0), E')$
   if $\mathrm{treduce}_A(x.\,R) = \{S\}$, $\mathrm{reduce}_A(x.\,R, N_0) = \{E'\}$, and $\mathrm{FV}(p) \cap \mathrm{FV}(N_0)$ is empty
$\mathrm{inst\_e}_A(x.\,M, N_0) = \mathrm{inst\_m}_A(x.\,M, N_0)$

$\mathrm{match\_m}_S(p.\,E, M_0) = E'$   [Match monadic object]

$\mathrm{match\_m}_{S_1 \otimes S_2}(p_1 \otimes p_2.\,E, M_1 \otimes M_2) = \mathrm{match\_m}_{S_2}(p_2.\,\mathrm{match\_m}_{S_1}(p_1.\,E, M_1), M_2)$
   if $\mathrm{FV}(p_2) \cap \mathrm{FV}(M_1)$ is empty
$\mathrm{match\_m}_1(1.\,E, 1) = E$
$\mathrm{match\_m}_{!A}(!x.\,E, !N) = \mathrm{inst\_e}_A(x.\,E, N)$
$\mathrm{match\_m}_A(x.\,E, N) = \mathrm{inst\_e}_A(x.\,E, N)$

$\mathrm{match\_e}_S(p.\,E, E_0) = E'$   [Match expression]

$\mathrm{match\_e}_S(p.\,E, \mathbf{let}\ \{p_0\} = R_0\ \mathbf{in}\ E_0) = \mathbf{let}\ \{p_0\} = R_0\ \mathbf{in}\ \mathrm{match\_e}_S(p.\,E, E_0)$
   if $\mathrm{FV}(p_0) \cap \mathrm{FV}(E)$ and $\mathrm{FV}(p) \cap \mathrm{FV}(E_0)$ are empty
$\mathrm{match\_e}_S(p.\,E, M_0) = \mathrm{match\_m}_S(p.\,E, M_0)$

Fig. 6. Instantiation, extended

$\mathrm{expand}_A(R) = N$   [Expansion]

$\mathrm{expand}_a(R) = R$
$\mathrm{expand}_{A \multimap B}(R) = \hat{\lambda} x.\,\mathrm{expand}_B(R\,{}^{\wedge}(\mathrm{expand}_A(x)))$   if $x \notin \mathrm{FV}(R)$
$\mathrm{expand}_{A \to B}(R) = \lambda x.\,\mathrm{expand}_B(R\,(\mathrm{expand}_A(x)))$   if $x \notin \mathrm{FV}(R)$
$\mathrm{expand}_{A \& B}(R) = \langle \mathrm{expand}_A(\pi_1 R), \mathrm{expand}_B(\pi_2 R) \rangle$
$\mathrm{expand}_{\top}(R) = \langle\rangle$
$\mathrm{expand}_{\{S\}}(R) = \{\mathbf{let}\ \{p\} = R\ \mathbf{in}\ \mathrm{pexpand}_S(p)\}$

$\mathrm{pexpand}_S(p) = M$   [Pattern expansion]

$\mathrm{pexpand}_{S_1 \otimes S_2}(p_1 \otimes p_2) = \mathrm{pexpand}_{S_1}(p_1) \otimes \mathrm{pexpand}_{S_2}(p_2)$
$\mathrm{pexpand}_1(1) = 1$
$\mathrm{pexpand}_{!A}(!x) = !(\mathrm{expand}_A(x))$
$\mathrm{pexpand}_A(x) = \mathrm{expand}_A(x)$

Fig. 7. Expansion

Together with the instantiation operators, and defined by mutual recursion with them, is a reduction operator $\mathrm{reduce}_A(x.\,R, N)$ that computes the canonical object resulting from the instantiation of $x$ with $N$ in the case that the head variable $\mathrm{head}(R)$ of the atomic object $R$ is $x$. Thus, roughly speaking, it corresponds to the idea of weak head reduction for systems with β-reduction. The instantiation operator $\mathrm{inst\_r}_A(x.\,R, N)$, by contrast, is only defined if the head of $R$ is not $x$. Another distinguishing feature is that reduction on an atomic object yields a normal object, while instantiation on an atomic object yields an atomic object.

Finally, there is a type reduction operator $\mathrm{treduce}_A(x.\,R)$ that computes the putative type of $R$ given that the head of $R$ is $x$ and the type of $x$ is $A$. Type reduction is used in side conditions that ensure that the recurrence defining instantiation is well-founded.

The recurrence defining these operators is based on a structural induction. There is an outer induction on the type subscripting the operators, and an inner simultaneous induction on the two arguments. Noting first that if $\mathrm{treduce}_A(x.\,R)$ is defined, it is a subterm of $A$, the fact that the recurrence relations respect this induction order can be verified almost by inspection. The only slightly subtle case is the equation for $\mathrm{reduce}_A(x.\,R\,N, N_0)$, which is the only case in which the subscripting type changes. Here the side condition $\mathrm{treduce}_A(x.\,R) = B \to C$ ensures that $B$ must be a strict subterm of $A$ for the reduction to be defined. An instantiation such as $\mathrm{inst\_n}_A(x.\,x\,x, \lambda x.\,x\,x)$ is guaranteed to fail the side condition after only finitely many expansions of the recurrence.

Another way in which an instance of the instantiation operators might fail to be defined would be if the recursive instantiation $\mathrm{reduce}_A(x.\,R, N_0)$ in the same equation failed to result in a manifest lambda abstraction $\lambda y.\,N'$. In fact, this could only happen if the term $N_0$ failed to have the ascribed type $A$. So instantiation always terminates, regardless of whether its arguments are well typed, but it is not defined in all cases. After the meta-theory is further developed, it can be shown that instantiation is always defined on well-typed terms when the types match in the appropriate way.
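As an added illustration (not code from the paper or its technical report), here is the LF₀ recurrence of Figure 5 in Python over a constructed tuple representation of types and objects; the term encoding, the fresh-name counter used for α-renaming and the `Fail` exception are assumptions of this example. On the ill-typed input $\mathrm{inst\_n}_A(x.\,x\,x, \lambda x.\,x\,x)$ it stops with `Fail` after finitely many steps instead of looping.

```python
from itertools import count
# Constructed term language for LF0 (an assumption of this example, not the paper's):
#   types A ::= ('base', a) | ('arrow', A, B)     normal objects N ::= ('lam', x, N) | R
#   atomic objects R ::= ('var', x) | ('const', c) | ('app', R, N)
_fresh = count()   # supplies names for alpha-renaming bound variables

class Fail(Exception):
    """No equation of the recurrence applies: the input was ill-typed."""

def fv(N):
    tag = N[0]
    if tag == 'var':   return {N[1]}
    if tag == 'const': return set()
    if tag == 'app':   return fv(N[1]) | fv(N[2])
    return fv(N[2]) - {N[1]}                                # 'lam'

def rename(N, y, z):   # alpha-rename free occurrences of y in N to the fresh name z
    tag = N[0]
    if tag == 'var':   return ('var', z) if N[1] == y else N
    if tag == 'const': return N
    if tag == 'app':   return ('app', rename(N[1], y, z), rename(N[2], y, z))
    return N if N[1] == y else ('lam', N[1], rename(N[2], y, z))

def head(R):
    while R[0] == 'app':
        R = R[1]
    return R

def treduce(A, x, R):
    """treduce_A(x. R): putative type of R, given head(R) = x and x : A."""
    if R == ('var', x):
        return A
    B = treduce(A, x, R[1])                 # R = R1 N, so B has to be a function type
    if B[0] != 'arrow':
        raise Fail('head applied to more arguments than its type allows')
    return B[2]

def reduce(A, x, R, N0):
    """reduce_A(x. R, N0): canonical result when head(R) = x (weak head reduction)."""
    if R == ('var', x):
        return N0
    _, R1, N = R
    BC = treduce(A, x, R1)                  # side condition treduce_A(x. R1) = B -> C
    if BC[0] != 'arrow':
        raise Fail('type reduction did not yield a function type')
    fun = reduce(A, x, R1, N0)              # side condition reduce_A(x. R1, N0) = \y. N'
    if fun[0] != 'lam':
        raise Fail('reduction did not yield a manifest lambda abstraction')
    _, y, body = fun
    return inst_n(BC[1], y, body, inst_n(A, x, N, N0))   # subscript drops from A to B

def inst_r(A, x, R, N0):
    """inst_r_A(x. R, N0): atomic instantiation, only when head(R) is not x."""
    if R[0] == 'app':
        return ('app', inst_r(A, x, R[1], N0), inst_n(A, x, R[2], N0))
    return R                                # a constant, or a variable other than x

def inst_n(A, x, N, N0):
    """inst_n_A(x. N, N0): canonical form of the result of putting N0 for x in N."""
    if N[0] == 'lam':
        _, y, body = N
        if y == x or y in fv(N0):           # work modulo alpha-equivalence
            z = f'{y}_{next(_fresh)}'
            y, body = z, rename(body, y, z)
        return ('lam', y, inst_n(A, x, body, N0))
    if head(N) != ('var', x):
        return inst_r(A, x, N, N0)
    if treduce(A, x, N)[0] != 'base':       # third equation needs treduce_A(x. R) = a
        raise Fail('no equation applies: head x is used at higher type')
    return reduce(A, x, N, N0)
```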

The  cases  of  instantiation  involving  the  monad,  shown  in  Figure  6,  are  not 
without  interest.  These  lean  heavily  on  prior  work  on  proof  term  assignments  for 
modal  logics  [33]. 
In order to extend instantiation to the full CLF₀ language, with its pattern-oriented destructor for the monadic type, it is necessary to introduce matching operators $\mathrm{match\_c}_S(p.\,E, X)$, where $X$ is either an expression or a monadic object. The matching operator computes the result of instantiating $E$ according to the substitution on the variables of $p$ generated by matching $p$ against $X$. (The variables in $p$ should be considered bound in $E$.) In the case that $X$ is a monadic object $M_0$, this is straightforward: the syntax of monadic objects corresponds precisely to that of patterns. But in the case that $X$ is a let binding, an interesting issue arises:

$\mathrm{match\_e}_S(p.\,\mathbf{let}\ \{p_1\} = R_1\ \mathbf{in}\ E_1, \mathbf{let}\ \{p_2\} = R_2\ \mathbf{in}\ E_2) = \;?$

The key is found in Pfenning and Davies' non-standard substitutions for the proof terms of the modal logics of possibility and laxity [33]. These analyze the structure of the object being substituted, not, as in the usual case, the term being substituted into. The effect is similar to a commuting conversion:

$\mathrm{match\_e}_S(p.\,\mathbf{let}\ \{p_1\} = R_1\ \mathbf{in}\ E_1, \mathbf{let}\ \{p_2\} = R_2\ \mathbf{in}\ E_2) =$
$\quad (\mathbf{let}\ \{p_2\} = R_2\ \mathbf{in}\ \mathrm{match\_e}_S(p.\,\mathbf{let}\ \{p_1\} = R_1\ \mathbf{in}\ E_1, E_2))$

It is interesting that both non-standard substitution and pattern matching — the latter not present in Pfenning and Davies' system — rely in this way on an analysis of the object being substituted rather than the term being substituted into. In a sense, this commonality is what makes the harmonious interaction between CLF's modality and its synchronous types possible.
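The matching operators and the commuting conversion just described, as an added example in Python (not the paper's code): it works over a constructed monadic fragment in which every pattern variable has base type, so instantiating it is the syntactic substitution of Section 3.1 and the type subscript $S$ can be dropped; the tuple encoding and the `Fail` exception are assumptions of this example.

```python
# Constructed monadic fragment (an assumption of this example, not the paper's):
#   objects  N ::= ('var', x) | ('const', c) | ('app', N, N)
#   monadic  M ::= ('tensor', M, M) | ('one',) | ('bang', N) | N
#   patterns p ::= ('tensor', p, p) | ('one',) | ('bang', x) | ('var', x)
#   exprs    E ::= ('let', p, R, E) | ('mon', M)
# Pattern variables are taken to have base type, so instantiating one is the syntactic
# substitution of Sect. 3.1; the type subscript S of match_m/match_e is therefore dropped.

class Fail(Exception):
    """A side condition of Fig. 6 is violated: no equation applies."""

def pv(p):
    """Variables bound by a pattern, written FV(p) in the paper."""
    if p[0] in ('var', 'bang'): return {p[1]}
    return set() if p[0] == 'one' else pv(p[1]) | pv(p[2])

def fv(T):
    """Free variables of an object, monadic object or expression."""
    tag = T[0]
    if tag == 'var':                return {T[1]}
    if tag in ('const', 'one'):     return set()
    if tag in ('bang', 'mon'):      return fv(T[1])
    if tag in ('app', 'tensor'):    return fv(T[1]) | fv(T[2])
    return fv(T[2]) | (fv(T[3]) - pv(T[1]))          # 'let'

def subst(x, N, T):
    """[N/x]T at base type; a let whose pattern would capture FV(N) is rejected."""
    tag = T[0]
    if tag == 'var':                return N if T[1] == x else T
    if tag in ('const', 'one'):     return T
    if tag in ('bang', 'mon'):      return (tag, subst(x, N, T[1]))
    if tag in ('app', 'tensor'):    return (tag, subst(x, N, T[1]), subst(x, N, T[2]))
    _, p, R, E = T
    if x in pv(p):                                   # x is shadowed by the pattern
        return ('let', p, subst(x, N, R), E)
    if pv(p) & fv(N):
        raise Fail('capture: rename the let-bound variables apart first')
    return ('let', p, subst(x, N, R), subst(x, N, E))

def match_m(p, E, M):
    """match_m(p. E, M): instantiate E by the substitution that matches p against M."""
    if p[0] in ('tensor', 'one', 'bang') and M[0] != p[0]:
        raise Fail('pattern and monadic object differ in shape (ill-typed input)')
    if p[0] == 'tensor':                             # p = p1 (x) p2, M = M1 (x) M2
        if pv(p[2]) & fv(M[1]):
            raise Fail('FV(p2) and FV(M1) must be disjoint')
        return match_m(p[2], match_m(p[1], E, M[1]), M[2])
    if p[0] == 'one':
        return E
    return subst(p[1], M[1] if p[0] == 'bang' else M, E)   # p = !x, M = !N  or  p = x

def match_e(p, E, E0):
    """match_e(p. E, E0): analyse the object E0; its lets commute outward past E."""
    if E0[0] == 'let':
        _, p0, R0, E1 = E0
        if pv(p0) & fv(E) or pv(p) & fv(E0):
            raise Fail('FV(p0) must avoid FV(E) and FV(p) must avoid FV(E0)')
        return ('let', p0, R0, match_e(p, E, E1))
    return match_m(p, E, E0[1])                      # E0 = {M0}

# Constructed instance of the question in the text: two let bindings meet.
X1, X2, Y, Z = ('var', 'x1'), ('var', 'x2'), ('var', 'y'), ('var', 'z')
PAT = ('tensor', X1, X2)                                                       # x1 (x) x2
E_BODY = ('let', Y, ('app', ('const', 'g'), X1), ('mon', ('tensor', Y, X2)))  # let {y} = g x1 in {y (x) x2}
E_OBJ = ('let', Z, ('const', 'h'), ('mon', ('tensor', Z, ('const', 'c'))))    # let {z} = h in {z (x) c}

def example():
    return match_e(PAT, E_BODY, E_OBJ)
```

The `let {z} = h` of the object being substituted floats to the outside, and only then is the pattern matched against `z (x) c`.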

The induction order mentioned above leads immediately to the following theorem.

Theorem 1 (Definability of instantiation). The recurrence for the reduction, instantiation, and matching operators uniquely determines the least partial functions (up to α-equivalence) solving them.

Proof. The proof is by an outer structural induction on the type subscript, and an inner simultaneous structural induction on the two arguments. □

3.3  Expansion 

The definition of expansion is shown in Figure 7. In some cases, new bound variables are introduced on the right-hand side of an equation. Any new variables in an instance of such an equation are required to be distinct from one another and from any other variables in the equation instance.

Again  there  is  a  definability  theorem  based  on  the  induction  order  implicit  in 
the  equations. 

Theorem 2 (Definability of expansion).

1. If $\mathrm{pexpand}_S(p_1)$ and $\mathrm{pexpand}_S(p_2)$ are both defined then $p_1$ and $p_2$ are the same up to variable renaming.

2. Given $S$, there is a pattern $p$, fresh with respect to any given set of variables, such that $\mathrm{pexpand}_S(p)$ is defined.

3. The recurrence for expansion uniquely determines it as a total function up to α-equivalence.

Proof. The first part is by induction on $S$. The second and third parts are by induction on the type subscript, using the first part to ensure that the result of $\mathrm{expand}_{\{S\}}(R)$ is unique up to α-equivalence. □

3.4  Further  results 

The following theorem is proved in the full generality of the dependent case in the technical report [36]. The identity and substitution principles follow immediately.

Theorem 3 (Identity and substitution principles). The following rules are admissible.

$$\frac{\Gamma; \Delta \vdash R \Rightarrow A}{\Gamma; \Delta \vdash \mathrm{expand}_A(R) \Leftarrow A}$$

$$\frac{\Gamma; \cdot \vdash N_0 \Leftarrow A \qquad \Gamma, x{:}A; \Delta \vdash N \Leftarrow C}{\Gamma; \Delta \vdash \mathrm{inst\_n}_A(x.\,N, N_0) \Leftarrow C}
\qquad
\frac{\Gamma; \Delta_1 \vdash N_0 \Leftarrow A \qquad \Gamma; \Delta_2, x\,\hat{:}\,A \vdash N \Leftarrow C}{\Gamma; \Delta_1, \Delta_2 \vdash \mathrm{inst\_n}_A(x.\,N, N_0) \Leftarrow C}$$

Proof. By straightforward inductions. □
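An added example (not from the paper) of the expansion recurrence of Figure 7 for the →, & and ⊤ cases, paired with a checker for the canonical typing judgments $N \Leftarrow A$ and $R \Rightarrow A$ over an unrestricted context only, so that the identity rule of Theorem 3 can be exercised on an instance; the tuple encoding, the signature `SIG` and the fresh-name counter are assumptions of this example.

```python
# Constructed term language (an assumption of this example, not the paper's), with the
# ->, & and T types of CLF0; the linear and monadic cases of Fig. 7 are left out.
#   types A ::= ('base', a) | ('arrow', A, B) | ('with', A, B) | ('top',)
#   normal objects N ::= ('lam', x, N) | ('pair', N, N) | ('unit',) | R
#   atomic objects R ::= ('var', x) | ('const', c) | ('app', R, N) | ('pi1', R) | ('pi2', R)
from itertools import count
_fresh = count()
SIG = {'c': ('base', 'a')}          # constructed signature: one constant c : a

def expand(A, R):
    """expand_A(R): the canonical (eta-long) object of type A built from the atomic R."""
    tag = A[0]
    if tag == 'base':                # expand_a(R) = R
        return R
    if tag == 'arrow':               # expand_{A->B}(R) = \x. expand_B(R (expand_A(x)))
        x = f'x{next(_fresh)}'       # fresh, so the side condition x not in FV(R) holds
        return ('lam', x, expand(A[2], ('app', R, expand(A[1], ('var', x)))))
    if tag == 'with':                # expand_{A&B}(R) = <expand_A(pi1 R), expand_B(pi2 R)>
        return ('pair', expand(A[1], ('pi1', R)), expand(A[2], ('pi2', R)))
    return ('unit',)                 # expand_T(R) = <>

def check(ctx, N, A):
    """N <= A over canonical forms: intro forms at higher type, atomic only at base type."""
    tag = N[0]
    if tag == 'lam':
        return A[0] == 'arrow' and check({**ctx, N[1]: A[1]}, N[2], A[2])
    if tag == 'pair':
        return A[0] == 'with' and check(ctx, N[1], A[1]) and check(ctx, N[2], A[2])
    if tag == 'unit':
        return A[0] == 'top'
    return A[0] == 'base' and synth(ctx, N) == A     # a bare R only checks at base type

def synth(ctx, R):
    """R => A, or None when R has no type in ctx and SIG."""
    tag = R[0]
    if tag == 'var':
        return ctx.get(R[1])
    if tag == 'const':
        return SIG.get(R[1])
    if tag == 'app':
        F = synth(ctx, R[1])
        return F[2] if F and F[0] == 'arrow' and check(ctx, R[2], F[1]) else None
    F = synth(ctx, R[1])                                # 'pi1' / 'pi2'
    if not F or F[0] != 'with':
        return None
    return F[1] if tag == 'pi1' else F[2]

def identity_witness(x, A):
    """Identity rule of Theorem 3: from x : A build expand_A(x) and check it at A."""
    N = expand(A, ('var', x))
    return N, check({x: A}, N, A)
```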

In the dependently-typed case, lemmas concerning the algebraic laws satisfied by expansion and instantiation (roughly analogous to confluence results) and concerning the interaction of equality and instantiation are required. Other notable theorems (which, in the dependently-typed case, are actually needed to prove the theorem above) include the following.

Theorem 4 (Decidability of equality). Given $N_1$ and $N_2$, it is decidable whether $N_1 = N_2$.

Proof. The formulation of the equality rules is nearly syntax-directed, so a simultaneous structural induction on the subjects of the judgment suffices. It remains only to observe that an expression can be decomposed into a concurrent context and subexpression in finitely many ways. □

Theorem 5 (Decidability of instantiation and expansion). It is decidable whether any instance of the instantiation and expansion operators is defined, and if so, it can be effectively computed.

Proof. For instantiation, this is proved by a simultaneous structural induction on the substituend, the term substituted into, and the putative type of the substituend. For expansion, the induction is over the structure of the type. □

Theorem 6 (Decidability of typing). It is decidable whether any instance of the typing judgments is derivable.

Proof. By structural induction on the subject of the judgments. □
In the dependently-typed case, the inference rules for typing are also structured in a syntax-directed manner, leading to a very simple proof of decidability [36]. This is a substantial technical improvement over prior presentations of even the LF sublanguage alone.

The interaction of equality and substitution is particularly important, since CLF's equality is where concurrency enters. Thus, the following theorems describe, in essence, how concurrent computations modeled in our framework compose.

Theorem 7. Concurrent equality $N_1 = N_2$ is an equivalence relation.

Proof. Reflexivity, symmetry, and transitivity can each be proved by structural inductions (with appropriate lemmas, also proved by structural induction) [36]. □

Theorem 8. If $N = N'$ and $N_0 = N_0'$ then $\mathrm{inst\_n}_A(x.\,N, N_0) = \mathrm{inst\_n}_A(x.\,N', N_0')$, assuming one side or the other is defined.

Proof. The proof appeals to composition laws for instantiation and a number of other technical lemmas. The inductive proofs of these lemmas and the main theorem follow the same induction order as for the decidability result [36]. □

Theorem 9. If $R = R'$ then $\mathrm{expand}_A(R) = \mathrm{expand}_A(R')$.

Proof. This follows by structural induction on $A$. □

4  Related  Work 

Past research has identified two main approaches to encoding concurrent computations in linear logic. Abramsky's proofs-as-processes [6] assumes a functional perspective where process interaction is captured by cut-elimination (normalization) steps over linear logic derivations. A second direction, which may be identified with the slogan proofs-as-traces (and formulas-as-processes), models dynamic process behaviors as proof-search, generally in the style of (linear) logic programming [24, 2, 25, 22, 14, 9].

CLF follows this second path, stressing a one-to-one correspondence between CLF proof-terms and process executions (traces) [13]. CLF differs from most of these proposals in two respects: first, it is a fully dependent logical framework, which means that it expresses not only the constructs of an object process calculus and their behavior, but also executions themselves and meta-reasoning about them. Second, the concurrent equality intrinsically supports true concurrency.

To the authors' knowledge, Honsell et al. [20] describe the most significant application of a logical framework in the sphere of concurrency. They elegantly encode the π-calculus with substantial meta-theory in the calculus of constructions with inductive/coinductive types ($\mathrm{CC}^{(\mathrm{Co})\mathrm{Ind}}$). However, since the notion of equality of $\mathrm{CC}^{(\mathrm{Co})\mathrm{Ind}}$ does not identify permutable computations, more advanced meta-theoretic investigations would require tedious coding of an equivalence similar to CLF's concurrent equality.
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The  idea  of  monadic  encapsulation  goes  back  to  Moggi’s  monadic  meta-language 
[27, 28]  and  is  used  heavily  in  functional  programming.  Our  formulation  follows  the 
judgmental  presentation  of  Pfenning  and  Davies  [33],  which  completely  avoids  the 
need  for  commuting  conversions,  but  the  latter  treats  neither  linearity  nor  the 
existence  of  normal  forms.  The  exploration  of  monads  in  logic  programming  by 
Bekkers  and  Tarau  [5]  concentrates  on  the  use  of  monads  for  data  structures  and 
all-solution  predicate.  This  is  quite  different  from  our  application  and  concerned 
neither  with  additional  logical  connectives  nor  a  true  extension  of  the  operational 
semantics.  Benton  and  Wadler  [7]  explore  the  relationship  of  Moggi’s  monadic 
meta-language  and  term  calculi  for  linear  logic  with  Benton’s  adjoint  calculus, 
which  bears  some  intriguing  similarities  with  CLF.  However,  it  is  not  a  type  the¬ 
ory,  and  the  logical  connectives  (such  as  implication)  common  to  lax  logic  and 
linear  logic  retain  separate  identities,  rather  than  being  combined,  as  in  CLF. 

The  method  of  defining  a  type  theory  by  a  typed  operational  semantics  goes 
back  to  the  Automath  languages  [15]  and  has  been  applied  to  LF  by  Felty  [16]. 
Our  canonical  formulation  significantly  extends  and  streamlines  the  ideas  behind 
Felty ’s  canonical  LF  and  its  extension  to  LLF  [12];  the  need  for  confluence  and  p- 
normalization  results  is  eliminated.  A  similar  philosophical  outlook,  but  different 
technical  realizations  underly  PAL-I-  [23]  and  work  by  Adams  [1] ,  who  also  consider 
frameworks  restricted  to  normal  forms. 


5  Conclusion 

In  this  paper,  we  have  presented  the  basic  design  of  a  logical  framework  that  in¬ 
ternalizes  parametric  and  hypothetical  judgments,  linear  hypothetical  judgments, 
and  true  concurrency.  This  supports  representation  of  a  wide  variety  of  concepts 
related  to  logic  and  computation  in  a  natural  and  concise  manner.  It  also  poses  a 
host  of  new  questions. 

One  of  the  practically  important  features  of  the  linear  logical  framework  is  its 
operational  interpretation  as  a  logic  programming  language  using  goal-directed 
proof  search  [19, 10].  We  conjecture  that  CLF  supports  a  conservative  extension  of 
this  operational  semantics.  We  have  already  constructed  a  representation  of  Mini- 
ML  with  concurrency  and  parallelism  anticipating  such  an  interpretation  [13]. 

Concurrent  computations  in  an  object  language  are  internalized  as  moneidic 
expressions  in  CLF.  The  framework  allows  type  families  indexed  by  objects  con¬ 
taining  such  expressions,  which  means  it  is  possible  to  formulate  properties  of 
concurrent  computations  and  relations  between  them.  Examples  are  safety  and 
possibly  liveness  properties,  bisimulations,  and  other  translations  between  models 
of  computations. 

Petri  nets  and  other  case  studies  have  shown  that,  in  many  cases,  computations 
should  be  indistinguishable  also  when  threads  interact  over  isomorphic  objects.  It 
appears  that  this  can  be  achieved  by  integrating  the  notion  of  proof  irrelevance  [31, 
34]  within  CLF.  Once  this  extension  has  been  fully  worked  out,  CLF  would  be 
able  to  provide  an  adequate  representation  to  Petri  nets  under  the  collective  token 
philosophy,  for  example. 
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